fixed #3206

zikula · Mar 19, 2019 · 64ea5cc · 64ea5cc · craigh · Mar 19, 2019
1 parent fa65ccf
commit 64ea5cc
Show file tree

Hide file tree

Showing 17 changed files with 117 additions and 749 deletions.
diff --git a/CHANGELOG-3.0.md b/CHANGELOG-3.0.md
@@ -23,6 +23,7 @@ CHANGELOG - ZIKULA 3.0.x
         - `Zikula\UsersModule\ProfileModule\ProfileModuleInterface` requires a new method `getBundleName()` to be implemented.
     - `Zikula\BlocksModule\AbstractBlockHandler` is not container aware anymore.
     - `Zikula\ExtensionsModule\Entity\ExtensionEntity` has renamed `core_min` to `coreCompatibility` and removed `core_max` property (#3649).
+    - Removed all classes from the `Zikula\Core\Token` namespace. If you need custom csrf tokens use [isCsrfTokenValid()](https://symfony.com/doc/current/security/csrf.html#generating-and-checking-csrf-tokens-manually) instead (#3206).
     - The `Zikula\Bundle\HookBundle\ServiceIdTrait` trait has been removed.
     - Dropped vendors:
         - Removed afarkas/html5shiv

diff --git a/src/lib/Zikula/Bundle/CoreBundle/Resources/config/services.yml b/src/lib/Zikula/Bundle/CoreBundle/Resources/config/services.yml
@@ -1,6 +1,3 @@
-parameters:
-    zikula_core.internal.token.max_life: 3600
-
 services:
     _defaults:
         autowire: true
@@ -84,13 +81,6 @@ services:
     Michelf\:
         resource: '../../../../../../vendor/michelf/php-markdown/Michelf/*'
 
-    Zikula\Core\Token\Storage: '@Zikula\Core\Token\Storage\SessionStorage'
-
-    Zikula\Core\Token\Generator:
-        arguments:
-            $secret: '_dummy'
-            $maxLifetime: '%zikula_core.internal.token.max_life%'
-
     # public because BootstrapBundlesCommand accesses this using container
     Zikula\Bundle\CoreBundle\Bundle\Helper\BootstrapHelper:
         public: true

diff --git a/src/lib/Zikula/Bundle/HookBundle/Controller/HookController.php b/src/lib/Zikula/Bundle/HookBundle/Controller/HookController.php
@@ -21,7 +21,6 @@
 use Zikula\Bundle\HookBundle\Dispatcher\HookDispatcherInterface;
 use Zikula\Common\Translator\TranslatorInterface;
 use Zikula\Common\Translator\TranslatorTrait;
-use Zikula\Core\Token\CsrfTokenHandler;
 use Zikula\ExtensionsModule\Entity\ExtensionEntity;
 use Zikula\ExtensionsModule\Entity\RepositoryInterface\ExtensionRepositoryInterface;
 use Zikula\PermissionsModule\Api\ApiInterface\PermissionApiInterface;
@@ -281,7 +280,9 @@ public function toggleSubscribeAreaStatusAction(
         HookDispatcherInterface $dispatcher
     ) {
         $this->setTranslator($translator);
-        $this->checkAjaxToken();
+        if (!$this->checkAjaxToken($request)) {
+            throw new AccessDeniedException();
+        }
 
         // get subscriberarea from POST
         $subscriberArea = $request->request->get('subscriberarea', '');
@@ -364,7 +365,9 @@ public function changeProviderAreaOrderAction(
         HookCollectorInterface $collector
     ) {
         $this->setTranslator($this->get('translator.default'));
-        $this->checkAjaxToken();
+        if (!$this->checkAjaxToken($request)) {
+            throw new AccessDeniedException();
+        }
 
         // get subscriberarea from POST
         $subscriberarea = $request->request->get('subscriberarea', '');
@@ -393,38 +396,32 @@ public function changeProviderAreaOrderAction(
         // set sorting
         $this->get('hook_dispatcher')->setBindOrder($subscriberarea, $providerarea);
 
-        $ol_id = $request->request->get('ol_id', '');
-
-        return $this->json(['result' => true, 'ol_id' => $ol_id]);
+        return $this->json(['result' => true]);
     }
 
     /**
      * Check the CSRF token.
-     * Checks will fall back to $token check if automatic checking fails
-     *
-     * @param CsrfTokenHandler $tokenHandler
-     * @param string $token Token, default null
      *
-     * @throws AccessDeniedException If the CSFR token fails
-     * @throws \Exception if request is not an XmlHttpRequest
+     * @param Request $request
      *
-     * @return void
+     * @return boolean
      */
-    private function checkAjaxToken(CsrfTokenHandler $tokenHandler, $token = null)
+    private function checkAjaxToken(Request $request)
     {
-        $currentRequest = $this->get('request_stack')->getCurrentRequest();
-        if (!$currentRequest->isXmlHttpRequest()) {
-            throw new \Exception();
+        if (!$request->isXmlHttpRequest()) {
+            return false;
         }
 
         $sessionName = $this->container->getParameter('zikula.session.name');
-        $sessionId = $currentRequest->cookies->get($sessionName, null);
+        $sessionId = $request->cookies->get($sessionName, null);
 
-        if ($sessionId == $currentRequest->getSession()->getId()) {
-            return;
+        if ($sessionId != $request->getSession()->getId()) {
+            return false;
         }
 
-        $tokenHandler->validate($token);
+        if (!$this->isCsrfTokenValid('hook-ui', $request->request->get('token'))) {
+            return false;
+        }
     }
 
     private function getExtensionsCapableOf(HookCollectorInterface $collector, ExtensionRepositoryInterface $extensionRepository, $type)

diff --git a/src/lib/Zikula/Bundle/HookBundle/Resources/public/js/hookui.js b/src/lib/Zikula/Bundle/HookBundle/Resources/public/js/hookui.js
@@ -143,14 +143,13 @@ var cloneDraggedItem = true;
      * @return none;
      */
     subscriberAreaToggle = function(sarea, parea) {
-        var pars = {
-            subscriberarea: sarea,
-            providerarea: parea
-        };
-
         $.ajax({
             url: Routing.generate('zikula_hook_hook_togglesubscribeareastatus'),
-            data: pars
+            data: {
+                token: $('#csrfToken').data('token'),
+                subscriberarea: sarea,
+                providerarea: parea
+            }
         }).done(function(data) {
             if (data.action == 'bind') {
                 if (!appendItemBeforeResponse) {
@@ -286,16 +285,15 @@ var cloneDraggedItem = true;
             providersAreas += '&providerarea[]=' + $($(this).attr('id') + '_a').val();
         });
 
-        var pars = 'ol_id=' + listId +
-                '&subscriberarea=' + subscriberArea +
-                providersAreas;
+        var parameters = 'subscriberarea=' + subscriberArea + providersAreas;
+        parameters += '&token=' + $('#csrfToken').data('token');
 
         $.ajax({
             url: Routing.generate('zikula_hook_hook_changeproviderareaorder'),
-            data: pars
+            data: parameters
         }).done(function(data) {
             // update new sort order
-            recolorListElements(data.ol_id, $('#' + data.ol_id).down(0).attr('id'));
+            recolorListElements(listId, $('#' + listId).down(0).attr('id'));
         }).fail(function(result) {
             alert(result.status + ': ' + result.statusText);
         });

diff --git a/src/lib/Zikula/Bundle/HookBundle/Resources/views/Hook/edit.html.twig b/src/lib/Zikula/Bundle/HookBundle/Resources/views/Hook/edit.html.twig
@@ -13,6 +13,8 @@
     {{ pageSetVar('title', __('Hooks')) }}
 </h3>
 
+<div id="csrfToken" class="hidden" data-token="{{ csrf_token('hook-ui') }}"></div>
+
 <div class="alert alert-info">{{ __('Drag items from the right column to the left column to connect the hooks. Only areas with the same category can be connected.') }}</div>
 {% if showBothPanels %}
     <div role="tabpanel">

diff --git a/src/lib/Zikula/Core/Token/CsrfTokenHandler.php b/src/lib/Zikula/Core/Token/CsrfTokenHandler.php